Windows Information Protection

Use this profile configuration to assign a Windows Information Protection policy to your devices when:

Only one Windows Information Protection profile configuration can be assigned and installed on a device. Additional Windows Information Protection profile configurations assigned to a device will be ignored.

General

Use the options on the General tab of the WIP profile configuration to control the behavior of WIP on your devices.

Protection Level: Select one of the following options to set the protection level for your enterprise data.
  • Block: Prevents Enterprise Data from leaving Enforced applications or networks.
  • Override: Allows device user to share protected data. However, user is notified that the shared data is protected and all overrides are logged.
  • Silent: Allows device user to share protected data without notification. All actions are logged.
  • Off: Allows device user to share protected data without notification and no actions are logged.
Allow User to Decrypt Data: When enabled, device users can decrypt any data created or edited by enforced applications by entering the file's Properties and deselecting the appropriate checkboxes.
Revoke Encryption Keys on Device Unenrollment: When enabled, the device user's local encryption keys are revoked when the device is unenrolled.
Allow Encrypted Data and Store Apps to Appear in Windows Search: When enabled, Windows Search can search and index encrypted corporate data and Store applications.
Data Recovery Certificate: Use this section to add data recovery certificates. A data recovery certificate enables you to recover encrypted data that might be lost if an account is locked or becomes inaccessible, by verifying your right to access that information.
Note: It is recommended that you use a Data Recovery Agent (DRA) template from ADCS.

Applications

Use the Applications tab to specify which applications have access to enterprise data on your devices.

Applications are divided into two sections: Legacy Applications (*.msi) and Modern Applications (*.appx). Applications with a lightbulb icon are Enlightened Applications. Enlightened applications can differentiate between corporate and personal data and only encrypt corporate data. Unenlightened applications consider all data corporate and encrypt everything. Exempt applications are allowed to access enterprise data without encrypting it.

For each application you can select one of the following options:

  • Allow: Applies your WIP policy to this application
  • Block: Blocks the application from accessing your enterprise data
  • Exempt: Exempts the application from your WIP policy, allowing it to access enterprise data without encryption. This option is primarily for applications that may have compatibility issues with WIP but are necessary for your company's productivity. Use this option carefully, as exemption from WIP increases the chances of a data leak from your applications.

Networks

Use the Networks tab to set boundaries for the Windows Information Protection profile configuration. Each of the three network setting types (IP Address Range, Network Domain, and Protected Domain) must be configured, and you can configure multiple values for each type.

Enterprise Cloud Resource

Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server on Port 80.

Domain: Enter a qualified enterprise resource domain.
Proxy: This field is optional. Enter the address of a proxy associated with the domain.

The Enterprise Cloud Resources App Compatibility switch permits connections to certain IP addresses. Connections to cloud resources through an IP address are blocked by default because Windows cannot tell the difference between a cloud resource and a personal site.

IP Address Range

Enter the range of IP addresses where enterprise data is accessible to your device users. Device users cannot access enterprise data while they are outside this range. You can add multiple IP address ranges.

Type: Select an internet protocol version: IPv4 or IPv6.
Starting Address: Enter the starting address for your IP address range.
Ending Address: Enter the ending address for your IP address range.

The Enterprise IP Ranges are Authoritative switch tells the client to accept the configured list and not to attempt to find other subnets. It applies to the whole list of IP Address Ranges and is a single yes or no across all addresses in that list.

Enterprise Internal Proxy Servers

These proxies, which are considered enterprise network locations, have been configured by the administrator to connect to specific resources on the internet. Do not add servers that are listed in your Enterprise Proxy Servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

Address: Enter the address of a specific resource on the internet. For example, sample.internalproxy1.com.

Domains

Enter the network or protected domain where your enterprise data is accessible to your device users. You must specify a fully qualified domain name. All traffic to the network domains on this list will be protected. You can add multiple domains.

Type: Select the domain type you are configuring. This field is read-only when you are editing an existing domain.
Location: Enter a fully qualified domain name.

Enterprise Proxy Servers

Any server on this list is considered non-enterprise.

Address: Enter the address of a valid Enterprise Proxy Server.

The Enterprise Proxy Servers are Authoritative switch tells the client to accept the configured list of proxies and not to detect other work proxies.

Neutral Resources

List of domain names that can be used for a work or personal resource.

Location: Enter the address of a location that is considered enterprise or personal, based on the context of the connection before the redirection. For example, sts.contoso.com.
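The following is an added illustration of how the boundaries on the Networks tab combine to decide whether a destination counts as enterprise, personal, neutral, or blocked; it is example code written for this page, not Windows' own evaluation logic or the product's code. All domains, proxies and IP ranges are constructed placeholders, and the check order and subdomain (suffix) matching are simplifying assumptions.

```python
import ipaddress

# Constructed sample boundaries (placeholder values, not a real tenant).
CLOUD_RESOURCES = {"sharepoint.example.com": "proxy.example.com", "mail.example.com": None}  # domain -> proxy
IP_RANGES = [("10.0.0.0", "10.255.255.255"), ("2001:db8::", "2001:db8::ffff")]  # (Starting, Ending)
NETWORK_DOMAINS = ["corp.example.com"]
PROTECTED_DOMAINS = ["example.com"]
INTERNAL_PROXIES = ["sample.internalproxy1.com"]
ENTERPRISE_PROXIES = ["proxy.example.com"]
NEUTRAL_RESOURCES = ["sts.contoso.com"]

def in_enterprise_ranges(addr):
    """True if addr lies inside any configured Starting/Ending Address pair (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    for start, end in IP_RANGES:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version == ip.version and lo <= ip <= hi:
            return True
    return False

def under(host, domains):
    """Suffix match (assumption): host equals a configured FQDN or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(target, cloud_ip_compat=False):
    """Return (category, reason); the check order is an assumption: specific lists win over suffixes."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass
    else:
        if in_enterprise_ranges(target):
            return ("enterprise", "inside an Enterprise IP Range")
        # A raw IP outside the ranges is blocked unless the App Compatibility switch is on.
        if cloud_ip_compat:
            return ("personal", "IP permitted by App Compatibility switch")
        return ("blocked", "IP outside Enterprise IP Ranges")
    if under(target, NEUTRAL_RESOURCES):
        return ("neutral", "depends on the connection context")
    if under(target, ENTERPRISE_PROXIES):
        return ("personal", "Enterprise Proxy Server is non-enterprise")
    if under(target, INTERNAL_PROXIES):
        return ("enterprise", "Enterprise Internal Proxy Server")
    for domain, proxy in CLOUD_RESOURCES.items():
        if under(target, [domain]):
            return ("enterprise", f"Enterprise Cloud Resource via {proxy}:80" if proxy else "Enterprise Cloud Resource")
    if under(target, NETWORK_DOMAINS + PROTECTED_DOMAINS):
        return ("enterprise", "Network or Protected Domain")
    return ("personal", "not in any boundary")
```

Note that proxy.example.com is classified as personal even though it sits under the protected domain example.com, which is the "Any server on this list is considered non-enterprise" rule for Enterprise Proxy Servers taking precedence.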